Just playing with ideas really but I would like to try setting up a VPN, accessed over IPv4, but where everything within it is IPv6. There are a few reasons, but they're mostly that I don't know enough IPv6 so it would force me to get to grips with it when working within the VPN.
(My objective is to host a VPN to which devices (typically things like Raspberry Pis) and "users" connect, with users having access to the devices but devices not having access to each other or anything else. No doubt this might change in future to require that some devices can access specific other services but they'd always be tied down.)
Does this sound plausible? As an OpenVPN novice, is this something I should park until I know OpenVPN better?
On 16/02/2022 15:51, Mark Rogers wrote:
> Just playing with ideas really but I would like to try setting up a VPN, accessed over IPv4, but where everything within it is IPv6. There are a few reasons, but they're mostly that I don't know enough IPv6 so it would force me to get to grips with it when working within the VPN.
Er....
I'm not an expert on VPNs or IPV6. Bear that in mind.
AFAIK, devices on an IPV6 network have a private IP6 address, and can have a public IP6 address if required. The public address should be globally unique, so that you can access a device from out in the internet without having to do NAT (network address translation) like you have to do in IPV4. This is basically part of the point of IP6. Obviously there has to be a route set up somewhere (via a VPN) and access through any firewalls.
This suggests to me that you should access the VPN that you want to set up using IP6 throughout. If you want to access it from IPV4, you'll have to do NAT, and/or do something like "tunnelling" IP6 over IP4, or do some sort of transfer process to map IP4 to IP6. But why? Why do that when IP6 is designed to avoid the need?
> (My objective is to host a VPN to which devices (typically things like Raspberry Pis) and "users" connect, with users having access to the devices but devices not having access to each other or anything else. No doubt this might change in future to require that some devices can access specific other services but they'd always be tied down.)
This paragraph suggests to me that what you're trying to set up is a DMZ, as often seen on routers. A DMZ is a "Demilitarised Zone". Basically an area of your network that has highly restricted access. Alternatively, just firewall all the devices on your network and only open ports that you need. To me (not an expert), this doesn't sound like a job for the VPN.
> Does this sound plausible? As an OpenVPN novice, is this something I should park until I know OpenVPN better?
Yes.
I've used PiVPN which created a simple wrapper over OpenVPN. Presumably this was done because OpenVPN was hard to configure easily.
I'd suggest that you just install PiVPN on a Pi and go with that. PiVPN now defaults to using Wireguard. If you want to use OpenVPN, make sure you install it with the right option to pick OpenVPN.
If you want to learn how to use IPV6, I suggest that you just make sure that most/all of the machines on your network have IP6 enabled, and check that they're using it. If/when it's working, check it's working by turning off IP4 (by firewalling it?).
Anyway, that's my 2p FWIW. Not an expert, as I said.
Hope it helps.
Steve
On Wed, 16 Feb 2022 at 20:49, steve-ALUG@hst.me.uk wrote:
> AFAIK, devices on an IPV6 network have a private IP6 address, and can have a public IP6 address if required.
No public IP needed. The VPN is only for the purposes of accessing resources on the VPN.
So my laptop would join the VPN, get an IPv6 address on the VPN, and would then be able to access devices which had similarly connected to the VPN, using IPv6.
> This suggests to me that you should access the VPN that you want to set up using IP6 throughout.
I don't see any reason why the VPN server host IP can't be IPv4; the oVPN config on my laptop would use IPv4 to connect to it and establish the VPN connection, but the VPN interface that was thus created would only have an IPv6 address.
I don't know how routing works with IPv6 (so I don't know how my laptop would work out to use the VPN connection to access certain IPv6 addresses and my default gateway for others) but that's because I am stuck in an IPv4 mindset and part of the rationale for doing this is to force myself to gain those skills; as long as there's an IPv4 option for connecting to something I'm going to use that because I don't have to think about it. (I don't want to use IPv6 to access the VPN, primarily because my ISP doesn't support it, and some of the devices will be using SIM cards from mobile providers who don't support it.)
> This paragraph suggests to me that what you're trying to set up is a DMZ, as often seen on routers.
That comment suggests I misled you as to my goal!
The architecture would be:
- Server1 - cloud hosted oVPN server
- PC1, PC2, PC3 - laptops and PCs that use IPv4 to connect to Server1 where they obtain IPv6 addresses (local to that VPN)
- Dev1, Dev2, Dev3 - devices which similarly connect using IPv4 (eg via mobile network) to Server1 where they also get an IPv6 address
- Once connected, PC1 would be able to access (eg SSH into) Dev1, Dev2, Dev3. Dev1/2/3 would not be able to access each other or anything else.
> I'd suggest that you just install PiVPN on a Pi and go with that. PiVPN now defaults to using Wireguard.
I need to remain hardware agnostic. Whilst I have several Pis I also have some OpenWrt devices that support oVPN which I'd want to include.
> If you want to learn how to use IPV6, I suggest that you just make sure that most/all of the machines on your network have IP6 enabled, and check that they're using it. If/when it's working, check it's working by turning off IP4 (by firewalling it?).
I've done that in the past (without disabling IPv4) but I always fall back to IPv4. I can't disable IPv4 as it would affect other people. This VPN would be a new thing so baking IPv6 in from the start means nothing gets broken by trying to transition to IPv6 later.
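As an added illustration of the architecture above (not code from the thread or from OpenVPN itself), this Python block models the server side: an IPv4-only listener, an IPv6-only tunnel from a constructed ULA prefix, per-client static addresses that split users from devices, and the ip6tables FORWARD policy that lets PCs reach Devs while Devs reach nothing. The OpenVPN directive names follow the 2.5 manual and the prefix, file names and interface name are assumptions; the key point is that `client-to-client` is left out, so client-to-client packets cross the kernel and can be filtered.

```python
# Added example: model of Mark's proposed VPN (IPv4 transport, IPv6-only inside).
import ipaddress

# Constructed ULA prefix for the tunnel (assumption; choose your own /64).
VPN_PREFIX = ipaddress.IPv6Network("fd00:ab:cd::/64")
USERS = ipaddress.IPv6Network("fd00:ab:cd::1:0/112")    # PC1, PC2, PC3 are pinned here
DEVICES = ipaddress.IPv6Network("fd00:ab:cd::2:0/112")  # Dev1, Dev2, Dev3 are pinned here


def server_conf():
    """Server directives (OpenVPN 2.5 names; verify against your version's manual).
    Deliberately absent: 'client-to-client'. Without it OpenVPN hands packets between
    clients to the kernel, so they traverse the FORWARD chain and can be filtered."""
    return [
        "proto udp4",                    # listen on IPv4 only (ISP / SIM has no IPv6)
        "dev tun",
        "topology subnet",
        f"server-ipv6 {VPN_PREFIX}",     # IPv6 pool inside the tunnel, no IPv4 pool
        "client-config-dir ccd",         # per-client static addresses, see ccd_entry()
    ]


def ccd_entry(common_name, group, index):
    """Contents of ccd/<common_name>, pinning that certificate into one range."""
    net = USERS if group == "user" else DEVICES
    return common_name, f"ifconfig-ipv6-push {net[index]}/{VPN_PREFIX.prefixlen}"


def ip6tables_rules(tun="tun0"):
    """Policy on the server: users -> devices and the replies to it, nothing else."""
    return [
        "ip6tables -P FORWARD DROP",
        f"ip6tables -A FORWARD -i {tun} -o {tun} -s {USERS} -d {DEVICES} -j ACCEPT",
        f"ip6tables -A FORWARD -i {tun} -o {tun} -s {DEVICES} -d {USERS} "
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


def allowed(src, dst, reply=False):
    """The same policy evaluated offline so the rule set can be sanity-checked."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if s in USERS and d in DEVICES:
        return True                                   # PC1 -> Dev1 (e.g. SSH)
    return reply and s in DEVICES and d in USERS      # only replies flow back


if __name__ == "__main__":
    print("\n".join(server_conf()))
    print(*ccd_entry("dev1", "device", 1))
    print("\n".join(ip6tables_rules()))
```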
Hi Mark,
Yet another non VPN expert here :)
I was playing with a Fortinet setup recently and I think it must be doable. You would have IPv4 for your VPN client to connect to (that would have to be an Internet routable IP) and if you configure IPv6 inside your network, the client should be re-routed to the resource. My guess would be that the client will get local IPv6 "nat-ed" from the OpenVPN. Working IPv6 DNS will probably be a good thing to start with.
You can control data flow by setting firewall rules for clients and "servers".
Give it a go but remember to block all but necessary ports visible from the Internet.
Cheerio! Bart
On Wednesday, 16 February 2022, Mark Rogers mark@more-solutions.co.uk wrote:
> Just playing with ideas really but I would like to try setting up a VPN, accessed over IPv4, but where everything within it is IPv6. There are a few reasons, but they're mostly that I don't know enough IPv6 so it would force me to get to grips with it when working within the VPN.
> (My objective is to host a VPN to which devices (typically things like Raspberry Pis) and "users" connect, with users having access to the devices but devices not having access to each other or anything else. No doubt this might change in future to require that some devices can access specific other services but they'd always be tied down.)
> Does this sound plausible? As an OpenVPN novice, is this something I should park until I know OpenVPN better?
> -- Mark Rogers // More Solutions Ltd (Peterborough Office) // 0344 251 1450 Registered in England (0456 0902) 21 Drakes Mews, Milton Keynes, MK8 0ER
On Thu, 17 Feb 2022 at 08:58, B D dzidek23@gmail.com wrote:
> Yet another non VPN expert here :)
It doesn't help that oVPN isn't particularly user friendly!
> You would have IPv4 for your VPN client to connect to (that would have to be an Internet routable IP) and if you configure IPv6 inside your network, the client should be re-routed to the resource.
Sounds right to me.
> My guess would be that the client will get local IPv6 "nat-ed" from the OpenVPN.
This is where I stray into my lack of IPv6 knowledge (I understand NAT on IPv4 but I'm starting as a complete IPv6 novice - that is of course the point of this exercise!)
> Working IPv6 DNS will probably be a good thing to start with.
True: I hadn't thought about how to map devices to IPv6 addresses. But assuming I had a DNS server within the VPN, I wouldn't want all my (non-VPN) DNS queries being sent there. Is there a good solution to this?